chore(release): v0.5.0 #78

Merged
LanNguyenSi merged 1 commit into master from chore/release-v0.5.0
Jun 20, 2026

@LanNguyenSi

Owner

Release v0.5.0

Cuts a release covering PRs #69 through #77 since v0.4.1: OSV.dev as a second CVE source, the UI hardening pass, the notification/policy pipeline wiring, scanner-correctness fixes, and MCP v0.3.0 tools. Full notes in CHANGELOG.md.

Version bumped to 0.5.0 (package.json + lockfile). On merge, push the v0.5.0 tag to fire release.yml (CI + a GitHub Release built from the CHANGELOG section).

Dogfood (live, against the 0.5.0 code already deployed at 8697daa)

  • depsight_get_overview: 38 repos, all freshly auto-scanned at 18:15-18:16 (after the deploy), so the auto-scan cron ran on the new code; the aggregate (406 CVEs, health 66, top-risky and most-outdated) renders.
  • depsight_get_cves (depsight repo, post-OSV scan): 16 advisories, correctly deduped (several distinct next CVEs, no duplicate rows), with vulnerableRange/fixedVersion and NVD reference URLs consistent with the OSV source path.
  • depsight_get_deps: 31 deps with correct installed-version ages and up-to-date / outdated / major-behind classification.
  • The deploy health gate stayed green; the post_update prisma db push synced the new source and ecosystem columns in 95ms.

Dogfood finding (follow-up, not a blocker)

  • The scan API (and therefore the MCP depsight_get_cves and the AdvisoryList UI) does not serialize the new Advisory.source field, so dependabot-vs-osv is not visible to users. Filed as a follow-up task. The dedup and counts work correctly internally.

Refs: depsight Welle 1-4

OSV.dev as a second CVE source, a UI hardening pass, the notification/policy
pipeline wired end to end, scanner-correctness fixes, and MCP v0.3.0 tools.
Covers PRs #69 through #77 since v0.4.1. Full notes in CHANGELOG.md.

Refs: depsight Welle 1-4

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@LanNguyenSi LanNguyenSi merged commit e416821 into master Jun 20, 2026
4 checks passed
@LanNguyenSi LanNguyenSi deleted the chore/release-v0.5.0 branch June 20, 2026 18:42